What is password hashing?

Password hashing is a process that transforms your password into a jumbled, unrecognizable string of characters (the “hash”). This hash is what gets stored in a website’s database. Even if a hacker were to steal that database, they wouldn’t see your actual password.

Use this analogy: your password is a secret ingredient in a recipe. You wouldn’t write that ingredient down in plain English in your cookbook, right? The same goes for passwords.

How is password hashing used to grant access?

Here’s how password hashing is used to grant access while keeping your password secure:

  • Registration: When you create an account, you choose a password.
  • Hashing: The website’s system immediately runs your password through a hashing algorithm. This creates a unique hash (that jumbled string of characters) corresponding only to your password.
  • Storage: The system stores this hash in its database, usually along with your username or email address. Crucially, it does not store your actual password.
  • Login: When you try to log in:
    • You enter your password.
    • The system takes the password you entered and runs it through the same hashing algorithm.
    • It compares the newly generated hash to the hash stored in the database.
    • If the hashes match precisely, the system knows you’ve entered the correct password and grants you access.

Why is this secure?

No plain text: Your real password is never stored, so even if a hacker gains access to the database, they won’t find passwords in a readable form.

  • One-way street: Hashing algorithms are designed to be one-way functions. It’s easy to generate a hash from a password but nearly impossible to reverse the process and get the original password from the secure hash.
  • Uniqueness: A secure hashing algorithm ensures that even tiny changes to a password (like changing a capital letter to lowercase) will result in a completely different hash. This prevents hackers from using common passwords or guessing techniques.

Let’s say your password is “P@ssw0rd123”. A hashing algorithm might turn it into something like “a94a8fe5ccb19ba61c4c0873d391e987982fbbd3”. This hash is what gets stored. When you log in and re-enter “P@ssw0rd123”, the system re-hashes it and sees that it matches the stored hash, allowing you in.

Strong vs. weak hash

Strong hash functions

  • Slow computation: A strong hash function is intentionally designed to be slow and computationally expensive. This makes it much harder for attackers to perform brute-force attacks (trying every possible password combination) or use precomputed rainbow tables (databases of hashes for common passwords).
  • One-way function: It’s mathematically infeasible to reverse-engineer a strong hash function to obtain the original input (the password). This means even if a hacker gets the hash, they can’t quickly determine the password.
  • Collision resistance: Two different passwords are unlikely to produce the same hash value. This prevents attackers from finding alternate passwords that would grant them access.
  • Salt support: Strong hash functions allow for the addition of a unique salt (random data) to each password before hashing, making precomputed attacks even less effective.
  • Adaptability: Strong hash functions can often be configured with parameters to adjust their computational complexity, keeping them secure even as computing power increases.

Examples of strong hash functions

  • bcrypt: A popular and widely-used algorithm known for its adjustable work factor (making it slower as hardware improves).
  • scrypt: Designed to be memory-hard, requiring more memory to compute, making it less susceptible to attacks using specialized hardware.

Weak hash functions

  • Fast computation: Weak hash functions are relatively fast and easy to compute, making them vulnerable to brute-force and rainbow table attacks.
  • Collision prone: They are more likely to produce the same hash value for different passwords, increasing the chances of an attacker finding a valid alternative.
  • Limited salt support: Some weak hash functions may not support salting or have limitations in how salt is implemented.

Examples of weak hash functions

  • MD5: Once widely used, but now considered very weak and easily cracked.
  • SHA1: A more secure successor to MD5, but still considered weak for password storage due to vulnerabilities discovered over time.

What is password salting?

Password salting is a security technique used to make password hashes even more resistant to cracking.

Let’s say your password is “password123.”

  • Without salt: The hash might be something like “cb58af8ceb1a7d18971d66721026604f4”
  • With salt (“xyz123”): The combined string (“password123xyz123”) produces a different hash, like “a9f3d6b0695e95240f69d54e628896d7”

Even if someone else has the same “password123,” their salt will differ, resulting in a unique hash.

Where should salted passwords be stored?

Salted passwords should be stored in a secure database alongside their corresponding salts.

  • Secure database: Use a reputable database system for storing sensitive data. Ensure the database is appropriately configured with strong access controls, encryption (at rest and in transit), and regular backups.
  • Separate table: Store user credentials (username/email, salted hash, salt) separately from other user data. This helps to limit the impact of a potential breach.
  • Hashing algorithm: Employ a strong, modern hashing algorithm like bcrypt, scrypt, or Argon2id. These algorithms are designed to be slow and computationally expensive, making it difficult for attackers to crack hashes even if they have the salt.
  • Unique salts: Generate a unique, random salt for each user and password combination. Avoid using predictable or easily guessable salts.
  • Salt length: Use a salt that is at least as long as the output of the hashing algorithm. A common recommendation is to use a 32-character (or longer) salt.
  • Limited access: Restrict access to the database containing user credentials to only authorized personnel or applications.
  • Regular auditing: Regularly audit the database security and monitor for suspicious activity.

The benefits of password hashing

Security benefits

  • Protection against data breaches: Even if hackers access your database, they cannot easily obtain users’ actual passwords. Hashes are not reversible, so the original passwords remain hidden.
  • Mitigation of rainbow table attacks: Salting ensures that even identical passwords result in different hashes, rendering precomputed rainbow tables useless for attackers.
  • Protection against credential stuffing: Credential stuffing attacks involve using stolen passwords from one site to gain access to other accounts. Hashing with unique salts prevents attackers from directly using stolen hashes across different platforms.

User benefits

  • Increased trust: Users are more likely to trust websites and applications that implement strong password hashing, as it demonstrates a commitment to security.
  • Protection of personal information: Hashing helps safeguard sensitive personal information tied to accounts, such as financial data or addresses.
  • Reduced risk of identity theft: By protecting passwords, hashing reduces the risk of unauthorized access to accounts and the subsequent theft of personal information for fraud.

Business benefits

  • Regulatory compliance: Many data protection regulations and industry standards require the use of strong password hashing to protect user data.
  • Reputation management: A data breach resulting from weak password security can severely damage a company’s reputation. Hashing helps mitigate this risk.

Limitations of hash functions

While hash functions are a powerful tool in cryptography and security, they have some inherent limitations that are important to be aware of:

  • Inevitability: Since hash functions map potentially infinite input data to a fixed-size output, collisions (where two different inputs produce the same hash) are mathematically inevitable.
  • Algorithm strength: The effectiveness of hashing relies heavily on the chosen algorithm. Weak or outdated algorithms are vulnerable to various attacks and should not be used for security-sensitive applications.
  • Potential threat: The advent of quantum computers threatens the security of many current hash functions. Quantum algorithms like Grover’s algorithm could significantly speed up brute force attacks, potentially rendering some hash functions obsolete.

How is hashing different from encryption?

Hashing is used to verify that data hasn’t been altered and to store passwords securely. Encryption is used to keep data private during transmission or storage. While both are important security tools, they serve different purposes and shouldn’t be confused or used interchangeably.

HashingEncryption
PurposeData integrity, password storageData confidentiality, secure transmission
ProcessOne-way (irreversible)Two-way (reversible with the correct key)
Output lengthFixed (e.g., 256 bits for SHA-256)Output length
KeyNo key requiredRequires an encryption and decryption key
ReversibilityPractically impossiblePossible with the correct key

Is hashing sufficient to keep passwords safe?

Hashing is an essential tool for password security, but it’s most effective when used with other security measures. Using a multi-layered approach, website owners can significantly reduce the risk of password compromise and protect their users’ sensitive information.

Best practices for password management and hashing

Ensuring secure password security involves a combination of user best practices and sound system-level implementations.

Users should prioritize creating strong, unique passwords at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. Avoiding personal information and utilizing password managers can further bolster security. Enabling two-factor authentication (2FA) provides extra protection against unauthorized access.

FAQs

Related content:

What is zero-trust security?

Zero-trust security assumes no user, device, or network traffic should be trusted by default, even within the organization’s network.

What is risk-based authentication?

Risk-based authentication (RBA) dynamically assesses the risk level of each login attempt or transaction based on the risk and context.

What is passwordless authentication?

Passwordless authentication is a way to identify your identity without using a password. Instead, it uses more secure alternatives like possession factors or biometrics.

Status Data: Security and privacy in conversational banking

Discover the challenges and solutions for secure conversational banking. Get expert insights from Stephen Gilmore, owner of Status Data.

Dating app security: Prevent romance scams and connect verified users

Help your users avoid the heartache of romance scams by keeping them safe with Mobile Identity.

What is Biometric Authentication?

Biometric authentication performs identification and authentication based on recognizable and verifiable data that is unique and specific to that person.

Everything you need to know about generative AI and security

Generative AI is here and we marvel at its astounding powers. But, can these powers be used for more nefarious purposes? Read to find out more!

Table of contents

Jul 22nd, 2024
8 min read